[Jai Vijayan, Contributing Writer](/author/jai-vijayan)

March 28, 2025, 5 Min Read

Oracle this week steadfastly continued to deny an alleged breach of its Oracle Cloud environment even as some security researchers doubled down on their analysis suggesting otherwise.

The conflicting narratives leave Oracle customers in a perplexing position, uncertain whether to take urgent security measures or to trust the company’s assurances that no breach occurred.

Claims and Counterclaims
------------------------

On March 21, threat intelligence firm CloudSEK reported that a threat actor known as ‘rose87168’ was attempting to sell approximately 6 million records linked to 140,000 tenants, allegedly obtained from Oracle Cloud Infrastructure’s (OCI) login servers. The data, CloudSEK said, included single sign-on (SSO) and LDAP credentials and customer tenant information, which usually is data tied to a specific customer’s environment (tenant), such as its user accounts, settings, and stored content.

In its [report](https://www.cloudsek.com/blog/the-biggest-supply-chain-hack-of-2025-6m-records-for-sale-exfiltrated-from-oracle-cloud-affecting-over-140k-tenants), CloudSEK said its interactions with rose87168 and its own incident analysis suggested the threat actor likely exploited an undisclosed vulnerability in Oracle’s cloud environment to gain initial access. However, the hacker has claimed to have exploited a critical Oracle Fusion Middleware vulnerability, tracked as CVE-2021-35587, to breach the cloud environment.

[Oracle flatly denied any breach](https://www.darkreading.com/cyberattacks-data-breaches/oracle-denies-claim-oracle-cloud-breach-6m-records) had occurred and maintained that the credentials the threat actor had published in a cybercrime forum were not for Oracle Cloud. The company insisted that no Oracle Cloud customers had experienced a breach or lost any data. It’s a stance that the company maintained mid-day Friday, March 28, even as CloudSEK and others challenged that claim with more data that supported the hacker’s claim.

In response to a third email request for a response to these claims, Oracle spokeswoman Julia Allyn Fishel on Friday reiterated the company’s earlier denial of the breach. ‘There has been no breach of Oracle Cloud (OCI),’ Fishel said via email. ‘The published credentials are not for OCI. No OCI customers experienced a breach or lost any data.’

Conclusive Proof?
-----------------

Meanwhile, CloudSEK [updated its original analysis](https://www.cloudsek.com/blog/part-2-validating-the-breach-oracle-cloud-denied-cloudseks-follow-up-analysis) on March 25 after obtaining what it said was a 10,000-line sample of stolen data from the hacker. That sample alone contained data that appeared to be associated with more than 1,500 organizations, indicating a significant breach, CloudSEK reported. The manner in which the data was formatted — for example {tenant}-dev, {tenant}-test, and {tenant} — strongly suggested the hacker had obtained access to production environments in Oracle’s cloud.

‘The volume and structure of the leaked information make it extremely difficult to fabricate, reinforcing the credibility of the breach,’ CloudSEK wrote.

In comments to Dark Reading, Shashank Shekhar of CloudSEK says his company validated some of the data with customers and there’s little doubt the breach happened. ‘Data revealed encrypted passwords, LDAP configurations, emails, and other information stored on the affected server,’ he says.

Oracle’s ongoing denial of the incident increases the risk that affected organizations won’t change their passwords, leaving them vulnerable to future supply chain attacks, he warns. ‘If you are an active customer, you should rotate passwords immediately, starting from the tenant admin,’ Shekhar recommends.

Researchers at SOCRadar [reached a similar conclusion](https://socradar.io/oracle-cloud-security-incident-by-rose87168/) after obtaining and analyzing a 10,000-record sample of the supposedly stolen data from the hacker. Ensar Seker, CISO at SOCRadar, says the sample alone is not enough to substantiate the hacker’s claim of having obtained 6 million records. However, the data in the sample set is detailed enough and credible enough to merit serious attention. ‘We believe the data appears consistent with legitimate Oracle Cloud user information,’ Seker says. ‘The presence of user credentials, roles, and other metadata typically found in enterprise cloud environments supports the plausibility of the breach.’

Additionally, Seker perceives Oracle’s lack of acknowledgement as heightening risks for affected organizations. ‘Without formal notification or context, organizations are left to independently validate their exposure — often without sufficient internal visibility,’ Seker cautions. ‘This creates a reactive environment where companies might overlook subtle Indicators of Attack (IOAs), such as unexpected authentication attempts or irregular access patterns.’

If Oracle is aware of any indicators tied to this incident — even without confirming a breach — the company should ideally be providing guidance or metadata patterns that customers can use to validate potential exposure, Seker says. This could include login timestamps, user agent anomalies, or IP ranges linked to suspicious access.

A Perplexing Reticence
----------------------

Why hasn’t Oracle responded publicly since its original denial of the incident?

Ekrem Celik, cybersecurity researcher at [Black Kite](https://blackkite.com/blog/oracle-cloud-breach-claims-denials-and-the-reality-of-cloud-security-risks-in-tprm/), speculates that there may be several reasons. One is that the breach may have occurred in legacy or peripheral systems — such as login endpoints — rather than Oracle Cloud’s core infrastructure. This would allow Oracle to technically argue that its main cloud environment wasn’t compromised, Celik argues.

Another explanation could be legal and reputational risk management. ‘Confirming a breach could carry major regulatory and customer trust implications,’ he says. ‘Additionally, Oracle may believe that the leaked data is fabricated or sourced from non-production environments, and therefore not representative of a real security incident.’

Like others, Celik says Oracle’s lack of transparency puts customers in a difficult position. ‘It creates uncertainty, delays timely remediation efforts such as credential resets or access audits, and undermines trust in Oracle as a third-party provider,’ he says. ‘TPRM teams are left to operate in the dark, potentially exposing themselves to further risk.’

Incidents like this show that in modern technology supply chains, risks don’t just come from technical vulnerabilities. ‘They also come from how quickly and clearly vendors respond during a security event. When there’s a lack of information or delayed communication, it becomes harder for others in the ecosystem to react in time, which can lead to wider, downstream risks,’ Seker says.
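As an added example (not code from the article, CloudSEK, SOCRadar or Oracle), the script below shows how a customer could triage a leaked-credential sample of the kind described above without vendor guidance: it splits the `{tenant}-dev` / `{tenant}-test` / `{tenant}` naming CloudSEK cites to separate production from non-production entries, keeps only records for tenants the organization actually administers, and orders credential rotation with tenant admins first, as Shekhar recommends. The CSV layout (tenant, username, role) and all sample values are constructed for illustration.

```python
"""Triage a leaked-credential sample against the tenants we administer.

Added example; not code from the article, CloudSEK, SOCRadar or Oracle.
The record layout (tenant,username,role) and the sample values are constructed.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the {tenant}-dev / {tenant}-test / {tenant} shape the
# CloudSEK analysis describes. Password hashes are deliberately not included.
LEAKED_SAMPLE = """\
tenant,username,role
acme-dev,dev.svc@acme.example,user
acme,admin@acme.example,tenant_admin
acme,jdoe@acme.example,user
acme-test,qa.bot@acme.example,user
globex,root@globex.example,tenant_admin
initech,someone@initech.example,user
"""

# Tenant names we are responsible for (constructed); matching ignores case.
OUR_TENANTS = {"acme", "globex"}

# A trailing -dev or -test marks a non-production tenant; anything else is prod.
ENV_SUFFIX = re.compile(r"^(?P<base>.+?)-(?P<env>dev|test)$", re.IGNORECASE)


def split_tenant(name: str) -> tuple[str, str]:
    """Return (base_tenant, environment) for a leaked tenant identifier."""
    m = ENV_SUFFIX.match(name.strip())
    if m:
        return m.group("base").lower(), m.group("env").lower()
    return name.strip().lower(), "prod"


def triage(sample_csv: str, our_tenants: set[str]) -> dict:
    """Group our matching records by environment and build a rotation order.

    Rotation order: tenant admins before ordinary users, then production
    before test before dev, so the highest-impact credentials are reset first.
    """
    by_env = defaultdict(list)
    for row in csv.DictReader(io.StringIO(sample_csv)):
        base, env = split_tenant(row["tenant"])
        if base in our_tenants:
            by_env[env].append((base, row["username"], row["role"]))
    env_rank = {"prod": 0, "test": 1, "dev": 2}
    rows = [(env,) + rec for env, recs in by_env.items() for rec in recs]
    rows.sort(key=lambda r: (r[3] != "tenant_admin", env_rank[r[0]], r[2]))
    return {"by_env": dict(by_env), "rotation_order": [r[2] for r in rows]}


if __name__ == "__main__":
    result = triage(LEAKED_SAMPLE, OUR_TENANTS)
    for env, recs in sorted(result["by_env"].items()):
        print(f"{env}: {len(recs)} matching record(s)")
    print("rotate first:", result["rotation_order"][0])
```

Any record that matches a production tenant name should be treated as a rotation task even if the sample's authenticity is still disputed, since the cost of a reset is small compared with the cost of a reused credential.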